Subject: Re: problem with download-vulnerability-list
To: Alistair Crooks <agc@wasabisystems.com>
From: Steven M. Bellovin <smb@research.att.com>
List: netbsd-users
Date: 07/28/2003 09:46:01
In message <20030728122302.GC19735@nef.pbox.org>, Alistair Crooks writes:


>David's suggestion about "wc -l" would be an excellent short-term
>move, I think, but I'd like to sort this out properly long-term, and
>I'm all ears for any suggestions that do not involve downloading
>extra files. The current ideas that occur to me are:
>
>1. an explicit EOF token placed in the file (from david@)
>2. use "wc -l" to calculate lines rather than character size of file
>   (from abs@)
>3. download 1 file, which is a shar including vulnerabilities file,
>   digest and/or timestamp.
>4. send out via SMTP change notices whenever the file has changed
>5. add an "integrity check" file containing sha1 and digest (from smb@,
>   discussed above).
>
>Does anyone have any other ideas?

http to a cgi script?  But that only guards against transmission 
failures, not against bad updates.  See
http://catless.ncl.ac.uk/Risks/19.25.html#subj1.1
for an example of the kind of failure I'm worried about.


		--Steve Bellovin, http://www.research.att.com/~smb
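As an added illustration of the checks discussed in this thread (not code from the thread, from pkgsrc, or from the audit-packages tools): the script below runs ideas 1, 2 and 5 against a downloaded copy of a vulnerabilities file, using a separate integrity record holding the byte size, the "wc -l" line count and a sha1. The sample file, the "#EOF" token and the record layout are all made up for the example. A truncated download trips the EOF, line-count and sha1 checks; a "bad update" that the publisher shipped with a matching record passes all of them, which is the distinction Steve draws above between transmission failures and bad updates.

```python
import hashlib

# Hypothetical explicit end-of-file marker (idea 1 in the thread); the real
# file format may use something else.
EOF_TOKEN = "#EOF"

# Constructed sample, not the real pkgsrc vulnerabilities file.
SAMPLE_TEXT = "\n".join([
    "# package vulnerability list (constructed sample)",
    "foo-1.0\tremote-root-shell\thttp://example.invalid/advisory/1",
    "bar<2.3\tdenial-of-service\thttp://example.invalid/advisory/2",
    "baz>=0.9<1.2\tlocal-file-read\thttp://example.invalid/advisory/3",
    EOF_TOKEN,
]) + "\n"
SAMPLE_BYTES = SAMPLE_TEXT.encode("ascii")


def make_integrity_record(data: bytes) -> dict:
    """What the publisher would write into a separate integrity-check file
    (idea 5), with the "wc -l" line count of idea 2 and the original byte
    size stored alongside the sha1 so all three can be compared."""
    return {
        "size": len(data),
        "lines": data.count(b"\n"),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def check_download(data: bytes, record: dict) -> list:
    """Run the checks proposed in the thread against a downloaded copy and
    return the names of the ones that failed (empty list means intact)."""
    failures = []
    lines = data.decode("ascii", errors="replace").splitlines()
    # idea 1: a copy cut off in transit cannot end with the EOF token
    if not lines or lines[-1] != EOF_TOKEN:
        failures.append("missing EOF token")
    # idea 2: compare line counts, the "wc -l" approach
    if data.count(b"\n") != record["lines"]:
        failures.append("line count mismatch")
    # the original size comparison, kept so the reader can compare outcomes
    if len(data) != record["size"]:
        failures.append("size mismatch")
    # idea 5: sha1 taken from the integrity-check file
    if hashlib.sha1(data).hexdigest() != record["sha1"]:
        failures.append("sha1 mismatch")
    return failures


GOOD_RECORD = make_integrity_record(SAMPLE_BYTES)

# A download that died part-way through the last entry (constructed):
# the last 7 bytes are "3\n#EOF\n".
TRUNCATED_BYTES = SAMPLE_BYTES[:-7]

# A "bad update" (constructed): the publisher shipped wrong content together
# with a record that matches it. Every check above passes, because none of
# them authenticates the content; they only detect damage in transit.
BAD_UPDATE_BYTES = SAMPLE_BYTES.replace(b"remote-root-shell", b"no-problem-here")
BAD_UPDATE_RECORD = make_integrity_record(BAD_UPDATE_BYTES)

if __name__ == "__main__":
    for name, data, rec in [("good", SAMPLE_BYTES, GOOD_RECORD),
                            ("truncated", TRUNCATED_BYTES, GOOD_RECORD),
                            ("bad update", BAD_UPDATE_BYTES, BAD_UPDATE_RECORD)]:
        print(name + ":", check_download(data, rec) or "ok")
```

Note that the sha1 in an unsigned integrity file fetched from the same server has the same limitation as the EOF token and the line count: whoever can publish a wrong vulnerabilities file can publish a record that matches it.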